Specifying and Checking Security Properties in an Evolving Software Base
Authors
Abstract
Research funded under this grant led to the development of techniques and tools for protecting privacy in a decentralized environment and achieving Byzantine Fault Tolerance (BFT), and a methodology that enables BFT replicas to run different implementations. The work led to an innovative new security model that allows static checking of security properties, a new annotation language for expressing security properties, extensions to Java that allow code to use the new model, lightweight tools for checking security properties of both source code (via a new compiler) and bytecode (via a new bytecode verifier), and a study of the runtime support needed by the model. A new replication algorithm (BFT) that is robust against Byzantine failures was developed. It is efficient, works in an asynchronous environment, and can be used to harden critical system services. An extension to BFT, called BFT with Abstract Specification Encapsulation (BASE), was developed to allow different software to run at different replicas so as to avoid failures due to software bugs. It provides a way of achieving practical N-version programming in which the different versions are developed by different organizations and may differ in the details of their behavior, i.e., support slightly different specifications.
Similar sources
Automatic Generation of Robustness and Security Properties from Program Source Code
Software robustness and security are critical to dependable operations of computer systems. Robustness and security of software systems are governed by various temporal properties. Static verification has been shown to be effective in checking temporal properties. But manually specifying these properties is cumbersome and requires knowledge of the system and source code. Furthermore, many syste...
Generating and Inferring Interface Properties for Static Analysis
Reachability checking in complex and concurrent software systems using intelligent search methods
Software system verification is an efficient technique for ensuring the correctness of a software product, especially in safety-critical systems in which a small bug may have disastrous consequences. The goal of software verification is to ensure that the product fulfills the requirements. Studies show that the cost of finding and fixing errors in design time is less than finding and fixing the...
Verification of Control Flow based Security Properties
A fundamental problem in software-based security is whether local security checks inserted into the code are sufficient to implement a global security property. We introduce a formalism based on a two-level linear-time temporal logic for specifying global security properties pertaining to the control flow of the program, and illustrate its expressive power with a number of existing properties. W...
Model Checking Security Properties of Control Flow Graphs
A fundamental problem in software-based security is whether local security checks inserted into the code are sufficient to implement a global security property. This article introduces a formalism based on a linear-time temporal logic for specifying global security properties pertaining to the control flow of the program, and illustrates its expressive power with a number of existing properties...